HTTPS traffic that calls AWS API endpoints across the international border is affected by certain "known factors", and it is specifically TLSv1.3 traffic that suffers:
https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/
https://www.medianama.com/2020/08/223-china-blocks-https-traffic/
https://www.theregister.com/2020/08/11/china_blocking_tls_1_3_esni/
When the client and server end up negotiating TLSv1.2, the packet capture shows the Client Hello and all subsequent data records with Protocol TLSv1.2. When the client and server use TLSv1.3, the capture shows the Client Hello with Protocol TLSv1. According to some documents, this "downgrade" behaviour is what middleboxes, browsers and similar components usually do when they hit a failed connection or a protocol mismatch: they retry with a downgraded protocol. https://zhuanlan.zhihu.com/p/33489365
A request that is handled normally should end with both sides selecting TLS 1.2; the attempt that chose TLSv1.3 may instead be dropped by the "known factors". Consistent with this, the capture also shows several TCP retransmissions from the client.
AWS documents a fix for this problem:
https://boto3.amazonaws.com/v1/documentation/api/latest/guide/security.html#enforcing-tls-1-2
That method is somewhat involved;
a more concise approach is described in: https://github.com/boto/botocore/issues/2488
What follows is a small modification of the code from that issue:
```python
import ssl  # the OP_NO_* constants are public in the standard-library ssl module
from botocore import httpsession


def custom_create_urllib3_context(ssl_version=None, cert_reqs=None, options=None, ciphers=None):
    if options is None:
        options = 0
    # Default options from botocore
    # SSLv2 is easily broken and is considered harmful and dangerous
    options |= ssl.OP_NO_SSLv2
    # SSLv3 has several problems and is now dangerous
    options |= ssl.OP_NO_SSLv3
    # Disable compression to prevent CRIME attacks for OpenSSL 1.0+
    # (issue urllib3#309)
    options |= ssl.OP_NO_COMPRESSION
    # OUR new options: refuse TLS 1.0/1.1 (weak) and TLS 1.3 (dropped in transit),
    # so TLS 1.2 is the only version the client offers
    options |= ssl.OP_NO_TLSv1
    options |= ssl.OP_NO_TLSv1_1
    options |= ssl.OP_NO_TLSv1_3
    # options |= ssl.OP_NO_TLSv1_2  # never set this too, or no version would remain
    # Forward the remaining arguments unchanged to botocore's original factory
    return httpsession._original_create_urllib3_context(
        ssl_version=ssl_version, cert_reqs=cert_reqs, options=options, ciphers=ciphers
    )
```
Then add the following at the start of your Python program (after the function above is defined and before any boto3 session or client is created), so that every botocore connection is built through the patched factory:
```python
httpsession._original_create_urllib3_context = httpsession.create_urllib3_context
httpsession.create_urllib3_context = custom_create_urllib3_context
```
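As an added, self-contained illustration of the same technique (this is not code from the post or from botocore), the block below builds a TLS 1.2-only SSLContext with the standard library, reports which protocol versions a context can still negotiate, and applies the same wrapping pattern to a stand-in module. botocore is not imported: `fake_httpsession_module` and its stub factory are constructed here, and the names `tls12_only_context`, `allowed_versions`, `install_tls12_patch` and `versions_after_patch` are this example's own.

```python
import ssl
import types

# OP_NO_* flags as used in the post, all from the standard-library ssl module.
# Disabling TLS 1.0/1.1 (weak) and TLS 1.3 (dropped in transit) leaves only TLS 1.2.
TLS12_ONLY_OPTIONS = (
    ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_COMPRESSION
    | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_3
)

# Each protocol version with the flag that disables it and its TLSVersion value
VERSION_TABLE = [
    ("TLSv1",   ssl.OP_NO_TLSv1,   ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.OP_NO_TLSv1_1, ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.OP_NO_TLSv1_2, ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.OP_NO_TLSv1_3, ssl.TLSVersion.TLSv1_3),
]


def tls12_only_context(options=None):
    """Build a verifying client context that will only ever offer TLS 1.2.

    Both the OP_NO_* flags from the post and the newer minimum_version /
    maximum_version attributes are set, so the restriction is visible either way.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check + system CAs
    ctx.options |= (options or 0) | TLS12_ONLY_OPTIONS
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def allowed_versions(ctx):
    """Return the protocol versions a context may negotiate, combining its
    OP_NO_* flags with its minimum_version / maximum_version bounds."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return [
        name for name, flag, version in VERSION_TABLE
        if not (ctx.options & flag) and lo <= version <= hi
    ]


def install_tls12_patch(module):
    """Wrap module.create_urllib3_context (botocore.httpsession in the post) so every
    context it produces carries TLS12_ONLY_OPTIONS. Installing twice is a no-op,
    so the patch never wraps its own wrapper."""
    if getattr(module, "_original_create_urllib3_context", None) is not None:
        return
    original = module.create_urllib3_context

    def patched(ssl_version=None, cert_reqs=None, options=None, ciphers=None):
        options = (options or 0) | TLS12_ONLY_OPTIONS
        # Forward every argument, so callers that set cert_reqs or ciphers still work
        return original(ssl_version=ssl_version, cert_reqs=cert_reqs,
                        options=options, ciphers=ciphers)

    module._original_create_urllib3_context = original
    module.create_urllib3_context = patched


def fake_httpsession_module():
    """Constructed stand-in for botocore.httpsession: its factory just applies the
    given options to a default context, the way the real one hands them to urllib3."""
    def create_urllib3_context(ssl_version=None, cert_reqs=None, options=None, ciphers=None):
        ctx = ssl.create_default_context()
        ctx.options |= (options or 0)
        return ctx
    return types.SimpleNamespace(create_urllib3_context=create_urllib3_context)


def versions_after_patch():
    """Versions the stand-in factory offers before and after the patch is installed."""
    module = fake_httpsession_module()
    before = allowed_versions(module.create_urllib3_context())
    install_tls12_patch(module)
    install_tls12_patch(module)  # second call must not re-wrap
    after = allowed_versions(module.create_urllib3_context())
    return before, after


if __name__ == "__main__":
    before, after = versions_after_patch()
    print("stand-in factory before patch:", before)
    print("stand-in factory after patch: ", after)
    print("tls12_only_context:", allowed_versions(tls12_only_context()))
```

The patched wrapper forwards `ssl_version`, `cert_reqs` and `ciphers` instead of discarding them, and the idempotence check guards against the patch being imported twice. `allowed_versions` is a quick way to confirm, before sending any traffic, that a context can no longer offer TLS 1.3; on Python 3.10 and later the `OP_NO_TLSv1*` flags emit a DeprecationWarning, which is why the context also pins `minimum_version` and `maximum_version`.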
Please credit when reposting: Kermit's website » boto3 Enforcing TLS 1.2